the pulumi project for managing these providers is not fit for purpose. We should create a deployment script that manages this for us

Template and deploy the workflow in https://github.com/pulumi/pulumi-yandex/blob/master/.github/workflows/update-upstream-provider.yml to all non-forked providers.

Depends on https://github.com/pulumi/platform-integrations-team/issues/7

https://github.com/c-hive/gha-remove-artifacts

If a provider has a directory called provider/shim, the update-upstream-provider workflow should:

1. Update the reference to the upstream provider in provider/shim/go.mod
2. cd provider/shim && go mod tidy
3. cd ../ && go mod tidy

This will become increasingly important as upstream TF providers adapt to current best practices for TF providers.

Instead of copying all the config values to each provider repo, we need to add organization secrets

The custom GH Action we use to build our Docker images was created at a time when the official Docker GH actions were not adequate for our needs.

Investigate whether we can move away from maintaining a custom GH Action in favor of one of the following, in order of preference:

1. Official Docker actions
2. Straight run (shell) commands.

We're currently using the pulumi org in the SaaS for tests, we need to use the moolumi org

We currently generate the github actions configuration programmatically, but we could also generate the goreleaser config and golangci-lint config because it's also a YAML configuration file

During the initial prerequisites step of our build, we need to ensure there's no changes to the schema and fail so we don't generate an artifact that isn't valid

Create a PoC to automate the updating of Terraform provider forks. The process is documented in https://github.com/pulumi/platform-providers-team/blob/main/playbooks/tf-provider-updating-forks.md

• kong
• spotinst - getting permission issues with the AWS keys
• mailgun
• digitalocean
• rancher2
• keycloak
• gitlab
• auth0
• mongodbatlas
• github
• pagerduty

There are various parts of the publish script that use travis environment variables which we need to remove

We have had several builds fail/error in our existing build process because they didn't generate a valid semver tag (for example, v.3.3.3 is not valid)

If we're performing a build, we should verify that the version is valid semver, and fail if it isnt.

update-upstream-provider assumes that there's no /v2 suffix to a reference when it's updated. We need to add support for this, as terraform-provider-artifactory is one of the few providers that do add the suffix.

We should maybe make this configurable in the config.yaml file of each provider?

@jaxxstorm

A provider can't support an SDK dependency that is a more recent version than the version referenced in pulumi-terraform-bridge. Therefore, we should look up the SDK version programmatically instead of allowing it as an arbitrary parameter.

Our current binaries can get quite large, especially for some of the larger provider plugins:

du -sh /Users/lbriggs/src/git/pulumi/pulumi-aws/dist/pulumi-aws_darwin_amd64/
329M	/Users/lbriggs/src/git/pulumi/pulumi-aws/dist/pulumi-aws_darwin_amd64/

If we add the -w and -s LDFLAGS, we get:

du -sh /Users/lbriggs/src/git/pulumi/pulumi-aws/dist/pulumi-aws_darwin_amd64/
287M	/Users/lbriggs/src/git/pulumi/pulumi-aws/dist/pulumi-aws_darwin_amd64/

If we strip the binary further using upx

du -sh /Users/lbriggs/src/git/pulumi/pulumi-aws/dist/pulumi-aws_darwin_amd64/
 56M	/Users/lbriggs/src/git/pulumi/pulumi-aws/dist/pulumi-aws_darwin_amd64/

We should make use of this if possible

Each provider needs to have the github actions build configuration added to it

note this issue is to track COMPLETED migrations, including publishing

• pulumi-aws
• pulumi-azure
• pulumi-azuread
• pulumi-gcp
• pulumi-random
• pulumi-docker
• pulumi-datadog
• pulumi-cloudflare
• pulumi-postgresql
• pulumi-mysql
• pulumi-cloudamqp
• pulumi-newrelic
• pulumi-openstack
• pulumi-tls
• pulumi-vsphere
• pulumi-packet
• pulumi-linode
• pulumi-signalfx
• pulumi-alicloud
• pulumi-kafka
• pulumi-vault
• pulumi-dnsimple
• pulumi-rabbitmq
• pulumi-aiven
• pulumi-pagerduty
• pulumi-mailgun
• pulumi-keycloak
• pulumi-kong
• pulumi-github
• pulumi-mongodbatlas
• pulumi-auth0
• pulumi-gitlab
• pulumi-rancher2
• pulumi-digitalocean
• pulumi-consul
• pulumi-f5bigip
• pulumi-fastly
• pulumi-okta
• pulumi-spotinst - aws key permission errors

fill in

In update-upstream-provider, we should provide a better error message and immediately fail the build if we cannot find the supplied upstream revision, rather than failing go mod edit .....null.

This can be as simple as writing a message to stderr and executing false, since the step is of type run (i.e. a Bash script).

We currently expect a semver to be passed to the update-upstream-provider and update-bridge workflows - the workflow itself will tack on the "v" prefix that go module tags expect. This constraint is unnecessarily rigid in that go mod edit will accept any valid git ref - it does not need to be, e.g. v1.2.3.

Accepting a ref instead of a semver will enable us to do a few things:

1. Semi-automate provider upgrades for forked providers, e.g. because we can pass upstream-v1.2.3 as an argument.
2. Update the bridge to an arbitrary tag for a provider, e.g. to test some beta functionality.

This includes:

• * pulumi-kubernetes
• * crd2pulumi
• * tf2pulumi
• * kube2pulumi
• * pulumi-eks
• * pulumi-awsx
• * pulumi-apigateway

and start to build common workflows between these systems

One of the more frustrating elements of the build process is dealing with the Makefile syntax we're currently using:

• It's difficult to generate Makefiles programmatically
• The syntax doesn't lend itself well to multi stage builds
• It's quickly becoming complex

Ideally, we could try and replace this with a task runner which will allow us to generate these files programmatically with jk.

I've had some success before with https://github.com/go-task/task which uses a YAML config file, so we should try it out

In the following PR, we triggered a run of the integration tests, but the link back to the actions run was apparently null: pulumi/pulumi-aws#1792

Looks like the issue is that the step is called var, but is referenced as vars:

    - id: var
      name: Create URL to the run output
      run: echo ::set-output name=run-url::https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
    - name: Update with Result
      uses: peter-evans/create-or-update-comment@v1
      with:
        body: Please view the PR build - ${{ steps.vars.outputs.run-url }}

The release build is missing the Slack notification step, which means we won't know if a release fails. We should add it.

As part of the pre-requisite steps, we should tar.gz the binaries to be faster and more efficient for storage

This cron should do everything that the default run does EXCEPT the publish step

We only have the ability to deploy updates in workflows to all providers. We also would find it useful to have the ability to deploy a single provider.

This PR added support for a new env var to fix our go integration testing setup.

We need to roll this env var out to all of the providers and do a sweep of the go integration tests as some of them have dependencies that need to be updated. They should be in the form:

github.com/pulumi/pulumi-REPO/vN

See an example of a typo here:

https://github.com/pulumi/pulumi-aws/blob/master/examples/examples_go_test.go#L19

A failed update-upstream-provider workflow attempt (e.g. because there are new resources) currently alerts to #builds in Slack. The failed attempt is not actually an alert-type occurrence because while it requires human intervention to add the mappings, it's not urgent.

The failed attempt should instead add a comment to the linked issue (if provided) indicating the automation attempt failed.

In addition, will need to change the code here to ignore the workflow in the #builds channel. <-- @stack72 took care of this

Python tests running in GHA are failing in pulumi/examples, pulumi/pulumi-azure, etc.

The integration tests run pipenv run pip install -r requirements.txt to install dependencies in the virtual environment created by Pipenv. That's how it's supposed to work, but it looks like in the GHA runner it's installing the dependencies globally, so when pipenv pulumi up is run, it can't find any of the dependencies because they weren't installed in Pipenv's virtual environment (they were installed globally, which isn't visible to the python in the virtual environment):

 Diagnostics:
   pulumi:pulumi:Stack (aws-py-s3-folder-p-it-fv-az60-aws-py-s3--92dffaeb):
     Traceback (most recent call last):
       File "/home/runner/.pulumi/bin/pulumi-language-python-exec", line 14, in <module>
         import pulumi
     ModuleNotFoundError: No module named 'pulumi'
     It looks like the Pulumi SDK has not been installed. Have you run pip install?
     If you are running in a virtualenv, you must run pip install -r requirements.txt from inside the virtualenv.

     error: an unhandled error occurred: Program exited with non-zero exit code: 1

phase 2 of the provider build migration happens after #7 but before #2

• add pypi publish key to org secrets
• add nodejs publish key to org secrets
• add nuget publish key to org secrets
• add SDK publish task to each release action
• disable publishing in travis config

An extra mapping should fail the build for all providers.
A missing mapping should fail the build for all providers except yandex and alicloud.

We don't have an indicator in the workflow files that they are automatically generated and will be overwritten when this repo is pushed. We should insert a into each generated comment like:

# This file is automatically generated.  Any content added to this file risks being overwritten.
# To make changes to the content of the file, see: https://github.com/pulumi/ci-mgmt/

Because our current templating tool jk doesn't support comments, we'd likely have to use bash to implement, probably using one of the answers here: https://superuser.com/questions/246837/how-do-i-add-text-to-the-beginning-of-a-file-in-bash

Spruce up the README:

• Ensure MD lint passes.
• Add additional instructional content, explanation.

• Ensure that the major-version of each provider is reflected in this repo (@stack72 TO-DO)
• Swap out the use of MP to be a GHA
  • We build a dynamic matrix (https://tomasvotruba.com/blog/2020/11/16/how-to-make-dynamic-matrix-in-github-actions/) to fuel out GHA
  • generate scripts for ALL providers
  • foreach provider
    • checkout provider repo
    • copy the files across
    • open a PR

update-upstream-provider assumes master for the default branch, which breaks on pulumi-artifactory, which has a default branch named main. We need to allow for both cases easily.

1. Ensure that the update-bridge workflow is complete and accurate. (make tfgen build_sdks, go mod edit command is correct)
2. Extend the workflow to accept a Pulumi version which will update the Pulumi SDK dependency in both the provider/go.mod and sdk/go.mod.
3. Ensure the workflow works for shim-ed providers. <-- n/a - the bridge is not referenced in the shim
4. Create a workflow_dispatch-triggered workflow to which invokes the update-bridge workflow for all bridged providers, similar to the work we did that submits a PR for all providers for changes to workflows defined in this repo.
5. Ensure that the platform integrations team is added as a reviewer for any generated PRs

https://github.com/pulumi/pulumi-azure/runs/1200350756?check_suite_focus=true#step:1:13

Artifactory uses main as default branch so we need to make this configurable in our update PRs

@komalali I am going to tag you here as my person to talk through a UX with as you mentioned that it would be nice to have :D

the last missing part of the build is generating docs for release artifacts

This will simplify the top level Makefile and push provider specific targets into the SDKs

This is based on the work that is currently being done in pulumi/pulumi

https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/